You are here

Linux kernel rp_filter settings (Reverse path filtering )

Submitted by Sarath Pillai on Thu, 02/28/2013 - 00:38

The main functionality of a router is to route packets from one place to another. Linux machine can be used as router on your network that will route substantial amount of traffic without any issues, if configured correctly.

Due to the increasing amount of malicious and attack traffic on the internet, it has become very much necessary to take some extra care while configuring routes on a Linux machine or physical router's.

One of the major problem that internet security people are dealing with today, is spoofing.

What is IP address spoofing?

IP spoofing is a method adopted by attacker's to send forged source address in their attack traffic.Which means they can send an IP packet with an IP address of their wish.

Most of the time's spoofing is used by an attacker mainly for the following reasons.

To conduct a DDOS attack ,and he does not want the response from the target machine to reach him

To compromise source based authentication

Spoofing can be controlled to a cerain extent by using Reverse Path filtering(not fully although).

What is reverse path filtering?

Reverse path filtering is a mechanism adopted by the Linux kernel, as well as most of the networking devices out there to check whether a receiving packet source address is routable.

So in other words, when a machine with reverse path filtering enabled recieves a packet, the machine will first check whether the source of the recived packet is reachable through the interface it came in.

If it is routable through the interface which it came, then the machine will accept the packet

If it is not routable through the interface, which it came, then the machine will drop that packet.

Latest red hat machine's will give you one more option. This option is kind of liberal in terms of accepting traffic.

If the recieved packet's source address is routable through any of the interfaces on the machine, the machine will accept the packet.

All the folder's in the above shown output has the file rp_filter. I will recommend enabling it by modifying the file /proc/sys/net/ipv4/conf/all/rp_filterfile, if you Reverse filtering very strictly.This can be done by simply redirecting your desired boolean value(1 or 0) to the desired file.